> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
> At 04:54 PM 2002-06-16, Luke Howard wrote:
>
> >>This is basically the same as passing through the SASL
> >>bind request/responses EXCEPT the authenticating server
> >>knows it [is] doing [it] for the middle box and hence can prepare
> >>a response which can be relayed to the end client.
> >
> >In what cases would this be necessary?
>
> Any mechanism with man-in-the-middle protection... e.g. DIGEST-MD5.
No part of the DIGEST-MD5 exchange is dependent on the individual machines
in the transaction. As such, DIGEST-MD5 has no man-in-the-middle protection.
Also see http://www.ietf.org/rfc/rfc2831.txt section 3.6, which states:

    Digest authentication is vulnerable to "man in the middle" (MITM)
    attacks.
The only way to defend against this is to secure the channel between the
authenticating server and the proxy.
-- Howard Chu
Chief Architect, Symas Corp.       Director, Highland Sun
http://www.symas.com               http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
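The pass-through case the thread is arguing about, as an added example that is not part of the original messages or of OpenLDAP: a minimal DIGEST-MD5 (RFC 2831) client and server, with a middle box that holds no credentials and simply copies each SASL message between its two connections. The response-value and rspauth computations follow RFC 2831 section 2.1.2.1; the Server/client_response/relayed_exchange names and the constructed credentials (modelled on the RFC 2831 section 4 example: user "chris", password "secret", realm "elwood.innosoft.com") are this example's own. The point it shows is that every input to the digest is carried in the messages themselves, so the server's verification succeeds whether the bytes arrive from the client directly or from the relay.

```python
"""DIGEST-MD5 (RFC 2831) exchange relayed verbatim by a credential-less proxy."""
import hashlib
import re


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_directives(msg: str) -> dict:
    """Parse a directive list such as  realm="x",nonce="y",nc=00000001 ."""
    out = {}
    for m in re.finditer(r'([\w-]+)=(?:"([^"]*)"|([^,]*))', msg):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None, rspauth=False) -> str:
    """response-value (or the server's rspauth when rspauth=True), RFC 2831 2.1.2.1.

    H(A1) = H( H(user:realm:pass) ":" nonce ":" cnonce [":" authzid] ); the inner
    hash is the raw 16-byte digest, not hex.  A2 is "AUTHENTICATE:" digest-uri for
    the client response and ":" digest-uri for rspauth.
    """
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    return _hexh(f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2.encode())}".encode())


class Server:
    """Authenticating server: knows the users' passwords, issues one fixed nonce (constructed)."""

    def __init__(self, realm: str, nonce: str, users: dict):
        self.realm, self.nonce, self.users = realm, nonce, users

    def challenge(self) -> str:
        return (f'realm="{self.realm}",nonce="{self.nonce}",qop="auth",'
                f'algorithm=md5-sess,charset=utf-8')

    def verify(self, response_msg: str):
        """Return the rspauth directive on success, None on failure."""
        d = parse_directives(response_msg)
        pw = self.users.get(d.get("username"))
        if pw is None or d.get("nonce") != self.nonce or d.get("realm") != self.realm:
            return None
        args = (d["username"], d["realm"], pw, d["nonce"], d["cnonce"],
                d["nc"], d["qop"], d["digest-uri"])
        if digest_md5_response(*args) != d.get("response"):
            return None
        return "rspauth=" + digest_md5_response(*args, rspauth=True)


def client_response(challenge_msg: str, username: str, password: str,
                    cnonce: str, digest_uri: str) -> str:
    d = parse_directives(challenge_msg)
    resp = digest_md5_response(username, d["realm"], password, d["nonce"],
                               cnonce, "00000001", "auth", digest_uri)
    return (f'charset=utf-8,username="{username}",realm="{d["realm"]}",'
            f'nonce="{d["nonce"]}",nc=00000001,cnonce="{cnonce}",'
            f'digest-uri="{digest_uri}",response={resp},qop=auth')


def relayed_exchange(server: Server, username: str, password: str,
                     cnonce: str, digest_uri: str) -> dict:
    """Client <-> middle box <-> server.  The middle box never sees the password
    and cannot build a response of its own; it only copies messages across."""
    to_proxy = server.challenge()                 # server -> proxy
    to_client = to_proxy                          # proxy -> client, unchanged
    from_client = client_response(to_client, username, password, cnonce, digest_uri)
    to_server = from_client                       # proxy -> server, unchanged
    rspauth = server.verify(to_server)            # server sees only the message content
    d = parse_directives(to_client)
    expected = "rspauth=" + digest_md5_response(username, d["realm"], password,
                                                d["nonce"], cnonce, "00000001",
                                                "auth", digest_uri, rspauth=True)
    return {"accepted": rspauth is not None, "rspauth_ok": rspauth == expected}


if __name__ == "__main__":
    # Constructed scenario modelled on the RFC 2831 section 4 example.
    srv = Server("elwood.innosoft.com", "OA6MG9tEQGm2hh", {"chris": "secret"})
    print(relayed_exchange(srv, "chris", "secret", "OA6MHXh6VqTrRk",
                           "imap/elwood.innosoft.com"))
```

The relay needs no knowledge of the password and alters nothing: the server accepts the response because it recomputes to the same value from the directives in the message, and the client accepts the rspauth it gets back for the same reason. What the middle box does get is a seat on the cleartext path after the exchange; which is the reason the reply above insists on securing the channel between proxy and authenticating server.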